Why Need MFA? Differences between 2FA and MFA - Win-Pro Consultancy Pte Ltd

Why Need MFA?

Having a complex passwords are not secured anymore. From simple relaying and malware attacks to the more sophisticated threats of spear-phishing and pharming, hackers have developed many tried and tested ways of stealing user password credentials and gaining unauthorized access to private user accounts.

Microsoft engineers discovered that almost all of the account compromise incidents they deal with could have been blocked by a multi-factor authentication (MFA). 

Multi-factor authentication (MFA) 

Differences betwewn 2FA and MFA 

There are three main components of MFA.

  • Password
  • Physical of Digital Token
  • Biometric verification 

Two-factor authentication (2FA) uses two of these possible ways to check and authorize a user’s access attempt, whereas MFA uses two or more of these checks. This makes MFA a stronger solution than 2FA.

Most people are just uncomfortable changing passwords so often. Most people used similar or even same password across all of their access to the applications. Hacker need to gaining access to a single application and all of the applications are compromised.

As we are transforming digitally, having A MFA is becoming to be more important now.

 

Can still use 2FA? 

SMS OTP 2FA is 2nd most unsecure but the most popular solution for a reason: it’s easy to implement, affordable, and, most importantly, it works the majority of the time. For the simple fact that receiving 2FA codes via SMS is less secure than using an authentication app. Hackers have been able to trick carriers into porting a phone number to a new device in a move called a SIM swap. It could be as easy as knowing your phone number and the last four digits of your Social Security number, data that tends to get leaked from time to time from banks and large corporations. Once a hacker has redirected your phone number, they no longer need your physical phone in order to gain access to your 2FA codes.

Email 2FA remains the most unsecure of all the approaches, simply because an email address is not tied to a specific device and it’s possible to compromise a large number of accounts once you have someone’s email password. 

 

Are all MFA the same? 

Like most of us, we know about the importance of using MFA. Most of us using free readily available authenticator like Google Authenticator and Microsoft Authenticator. Are they safe to use? Google Authenticator's weakness is exposing the recovery backup public secret to the user and the secret is displayed as QR or plain text without hashing or any encryption. There is also no passcode or biometric lock on the app. It is so easy for the malware to access the codes easily.

Microsoft Authenticator is slightly better. It has App Lock which uses facial biometric detection before you can access the application. It lacks application protection, which cause security issues when you are running the authenticator on an older version android or IOS. Hackers are likely to make use of the mobile vulnerabilities present in the older version or rooted Android devices or jailbroken IOS devices.   

There are many MFA solution in the market. You can consider Cisco Duo Security, Auth0 and V-Key

 

V-KEY V-OS Trusted Identity 2FA for SAML Radius OIDC FIDO2- Yearly Subscription

Microsoft Mobile Phone Authenticator App | Microsoft Security

 

  

References

Android malware can steal Google Authenticator 2FA codes | ZDNet

Microsoft Authenticator: A False Sense of Security? - Transmit Security